A flaw in the website of micro-blogging service Twitter is being used to pump out pop-up messages and links to porn sites.
Users only have to move their mouse over the link - not click it - to open it in the browser.
Thousands of Twitter accounts have so far posted messages exploiting the flaw, including that of Sarah Brown, the wife of former Prime Minister Gordon Brown.
The malicious links look like a random URL and contain the code "onmouseover".
Mr Cluley said that it looked like the initial vulnerability was exploited as a prank by users, but was now being spread by a worm, a self-replicating and malicious piece of code.
"Simply being logged into Twitter and viewing these pages could mean that your own Twitter account could be hacked," said Mr Cluley.
Until the flaw is fixed, users should use a third-party Twitter client - such as TweetDeck - rather than the Twitter.com website, he advised.
"Don't use the website," he said.
It is not the first time the service has suffered an attack.
In April 2009, another worm spread links to a rival site, again showing unwanted messages on infected user accounts.
Mr Cluley said that Twitter needs "much tighter control" over what users can include in a tweet to prevent similar problems in the future.
Twitter was not immediately available for comment.